cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1866
Views
15
Helpful
2
Replies

DNA external User authentication via Tacacs+

KristofB
Level 1
Level 1

Hi Community,

 

I’m trying to setup External User authentication via Ubuntu Tacacs+ for DNA.

However I cannot get it to work?!

 

My tac_plus.conf is something like this;

 

group = netadmin {

        default service = permit

        service = exec {

                priv-lvl = 15

                cisco-av-pair="Role=SUPER-ADMIN-ROLE"

                }

 

user = tacadmin {

        login = cleartext "password"

        pap = cleartext "password"

        member = netadmin

 

Whatever syntax I try; “Cisco-AVPair”, no priv-lvl, other AAA attribute, other service name,….  None of them seem work?

 

Authentication seem to work;

Mar 14 08:10:00 Ubuntu-Tacacs tac_plus[17968]: connect from x.x.x.x [x.x.x.x]

 

Kibana;

Error : Exception with authenticating or authorizing Tacacs server:

In some situations the error was something about “null” response

 

(Testing with DNA 2.2.3.4)

 

Anyone any idea?

 

1 Accepted Solution

Accepted Solutions

KristofB
Level 1
Level 1

Hi Mike,

Thanks for thinking with me!

 

Meanwhile I discovered the solution after a zillion tries

I was wondering what ‘service’ I needed to use in tacacs+, because it’s not ‘exec’.

And I notice following from ISE details in that document;

KristofB_0-1647332622130.png

  • Wonder where this comes from? you don’t set it as far as I know?!

And indeed, when I’m using “cas-service” it works!

        service = cas-service  {

                cisco-av-pair="Role=SUPER-ADMIN-ROLE"

                }

 

Very nice!

Beware DNA does PAP authentication, it does not work with login (as IOS device do)

If I understand it well, login and PAP are both cleartext ASCII so level of security is the same, there is none.

However Tacacs+ is using encryption (based on the shared secret) for the complete session, so this shouldn’t be an issue right?

 

(I assume there is no way to change DNA from PAP to something else?)

 

Thanks community!

 

K

View solution in original post

2 Replies 2

Mike.Cifelli
VIP Alumni
VIP Alumni

Are you able to set the type to mandatory and test again?  Try taking a peek at the attached document to see if it helps assist with troubleshooting.

KristofB
Level 1
Level 1

Hi Mike,

Thanks for thinking with me!

 

Meanwhile I discovered the solution after a zillion tries

I was wondering what ‘service’ I needed to use in tacacs+, because it’s not ‘exec’.

And I notice following from ISE details in that document;

KristofB_0-1647332622130.png

  • Wonder where this comes from? you don’t set it as far as I know?!

And indeed, when I’m using “cas-service” it works!

        service = cas-service  {

                cisco-av-pair="Role=SUPER-ADMIN-ROLE"

                }

 

Very nice!

Beware DNA does PAP authentication, it does not work with login (as IOS device do)

If I understand it well, login and PAP are both cleartext ASCII so level of security is the same, there is none.

However Tacacs+ is using encryption (based on the shared secret) for the complete session, so this shouldn’t be an issue right?

 

(I assume there is no way to change DNA from PAP to something else?)

 

Thanks community!

 

K

Review Cisco Networking for a $25 gift card